# Define the commands to execute
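def all_cmd(rootdir, temp_path, start_time, end_time):
    """Build the LogParser command lines that export Windows event logs to CSV.

    Each command queries an ``.evtx`` file under ``{rootdir}/data`` for events
    with ``TimeGenerated`` strictly between *start_time* and *end_time*, and
    redirects the CSV output to a file under *temp_path*.

    Args:
        rootdir: Directory whose ``data`` sub-directory holds the ``.evtx`` files.
        temp_path: Directory that receives the generated CSV files.
        start_time: Lower bound (exclusive) for ``TimeGenerated``.
        end_time: Upper bound (exclusive) for ``TimeGenerated``.

    Returns:
        A 10-tuple of command strings, in this order: 4624, 4625, 4648,
        LocalSessionManager (rdp), RemoteConnectionManager (remote), 4738,
        4720/4726/4722, 4728/4733/4729/4732, scheduled tasks (4698-4702), 1102.

    NOTE(review): all four arguments are interpolated verbatim, without
    quoting or escaping, into strings that use ``>`` redirection and so are
    presumably run through a shell -- confirm at the call site. Callers should
    accept only validated values (a strict timestamp format, known paths);
    paths containing spaces will also break the ``from`` clause as written.
    """
    logparser = 'LogParser -q -i:EVT -o:csv'
    security_log = f'{rootdir}/data/Security.evtx'
    # Shared time-window predicate appended to every query.
    time_filter = f"TimeGenerated> '{start_time}' and TimeGenerated< '{end_time}'"

    # 4625: failed logon.
    get_security_4625_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,5,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,10,\'|\') as EventType , EventTypeName ,'
        f'EXTRACT_TOKEN(Strings,9,\'|\') as FailureReason, EXTRACT_TOKEN(Strings,19,\'|\') as IP,'
        f'EXTRACT_TOKEN(Strings,20,\'|\') as port from {security_log} '
        f'where EventID = 4625 and {time_filter} ">{temp_path}/4625.csv '
    )
    # 4624: successful logon.
    get_security_4624_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,5,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,8 ,\'|\') as EventType , EventTypeName , '
        f'EXTRACT_TOKEN(Strings,18,\'|\') as IP,'
        f'EXTRACT_TOKEN(Strings,19,\'|\') as port from {security_log} '
        f'where EventID = 4624 and {time_filter} ">{temp_path}/4624.csv '
    )
    # 4648: logon attempted with explicit credentials.
    get_security_4648_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,5,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,14,\'|\') as EventType , EventTypeName , '
        f'EXTRACT_TOKEN(Strings,12,\'|\') as IP,'
        f'EXTRACT_TOKEN(Strings,13,\'|\') as port from {security_log} '
        f'where EventID = 4648 and {time_filter} ">{temp_path}/4648.csv '
    )
    # Terminal Services operational logs: every event inside the time window.
    get_LocalSessionManager_rdp_cmd = (
        f'{logparser} "select TimeGenerated,EventID,EventType,EXTRACT_TOKEN(Strings,0,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,1,\'|\') as ID, ComputerName, EXTRACT_TOKEN(Strings,2,\'|\') as IP from '
        f'{rootdir}/data/Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx '
        f'where {time_filter} ">{temp_path}/rdp.csv '
    )
    get_RemoteConnectionManager_remote_cmd = (
        f'{logparser} "select TimeGenerated,EventID,EventType,EXTRACT_TOKEN(Strings,0,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,1,\'|\') as ID, ComputerName, EXTRACT_TOKEN(Strings,2,\'|\') as IP from '
        f'{rootdir}/data/Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx '
        f'where {time_filter} ">{temp_path}/remote.csv '
    )
    # 4728/4729 and 4732/4733: member added to / removed from a security group.
    # The EventID alternatives are parenthesised because AND binds tighter than
    # OR: without the parentheses the time window applied only to the last
    # EventID and the other IDs were exported for the whole log.
    get_security_4728_33_29_32_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,6,\'|\') as SourceUser,'
        f'EXTRACT_TOKEN(Strings,0,\'|\') as TargetUser,'
        f'EventType, EventTypeName  from {security_log} where '
        f'(EventID=4728 or EventID=4733 or EventID=4732 or EventID=4729) '
        f'and {time_filter} " >{temp_path}/user_4728_33_29_32.csv '
    )
    # 4720/4722/4726: account created / enabled / deleted (same grouping fix).
    get_security_4720_26_22_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,4,\'|\') as SourceUser,'
        f'EXTRACT_TOKEN(Strings,0,\'|\') as TargetUser,'
        f'EventType , EventTypeName  from {security_log} where '
        f'(EventID=4720 or EventID=4726 or EventID=4722) '
        f'and {time_filter} " >{temp_path}/user_4720_26_22.csv'
    )
    # 4738: user account changed.
    get_security_4738_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,5,\'|\') as SourceUser,'
        f'EXTRACT_TOKEN(Strings,1,\'|\') as TargetUser,'
        f'EventType , EventTypeName  from {security_log} '
        f'where EventID=4738 and {time_filter} " >{temp_path}/user_4738.csv'
    )
    # 4698-4702: scheduled task created / deleted / enabled / disabled / updated
    # (same grouping fix).
    get_security_schtasks_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,1,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,4,\'|\') as SchtasksName,'
        f'EventType , EventTypeName  from {security_log} where '
        f'(EventID=4698 or EventID=4699 or EventID=4700 or EventID=4701 or EventID=4702) '
        f'and {time_filter} " >{temp_path}/schtasks.csv'
    )
    # 1102: audit log cleared.
    get_security_1102_cmd = (
        f'{logparser} "select EventID,TimeGenerated,EXTRACT_TOKEN(Strings,1,\'|\') as User,'
        f'EXTRACT_TOKEN(Strings,2,\'|\') as Domain,EXTRACT_TOKEN(Message,0,\' \') as Message'
        f' from {security_log} where EventID=1102 and {time_filter} " >{temp_path}/1102.csv'
    )
    # The return order differs from the definition order above; callers
    # presumably unpack positionally, so it is kept exactly as it was.
    return (
        get_security_4624_cmd,
        get_security_4625_cmd,
        get_security_4648_cmd,
        get_LocalSessionManager_rdp_cmd,
        get_RemoteConnectionManager_remote_cmd,
        get_security_4738_cmd,
        get_security_4720_26_22_cmd,
        get_security_4728_33_29_32_cmd,
        get_security_schtasks_cmd,
        get_security_1102_cmd,
    )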

